I have a two-parter:
I set up a LAN-to-LAN VPN yesterday (following this Juniper KB article) and it was almost working, so I found another guide and went through the process of making route entries for the static IP addresses; after that everything was working fine. This morning, I got up and it was no longer functional.
Upon further inspecting the settings, I found that my routing entries didn't look quite right. On site-A's firewall I used the settings:
- site-B's static IP (let's say 12.345.67.89), which is the IP address I can ping
- Subnet mask 30
- Gateway site-A's Static IP (987.654.32.10)
- Interface e0/0
I reversed these settings for site-B, though site-A's subnet is different.
The problem is that the routes come up with a different IP/netmask entry: in site-A's settings, site-B's static IP reads 12.345.67.87. Similarly, site-B's settings read site-A's static IP as 987.654.32.08. In short, the issue is that the last two digits of the IP address are 2 less than what I initially entered.
- Is it normal for the ip addresses to display differently like that?
- Does anyone have any suggestions as to why my VPN is no longer functional?
Note
Using just the Juniper KB article, I am able to create an almost functional VPN where both firewalls report an Active tunnel. Also, my DHCP server (a Windows machine) shows entries for the workstations on site-B, but I cannot ping them nor can they browse the internet, ping me, or access their networked drives (which are hosted at site-A).
Both sites use a Juniper SSG5 firewall
Thanks in advance for any help!
Edit - Providing more information
From any computer on site-A, I can ping two private IP addresses that are on site-B: 172.16.100.50, which is the interface IP address for bgroup0 on the site-B firewall, and 172.16.100.53, which is a workstation that the site-B office can't seem to physically locate.
From any computer on site-B, pinging a private IP address on site-A (172.16.10.12) gets no reply.
When logged into either firewall via PuTTY I cannot ping any of the LAN IP addresses (e.g., pinging from site-A to site-B 172.16.100.56, and pinging from site-B to site-A 172.16.10.12), but I can ping the static WAN IP addresses of each device.
The second article that I reference suggests that I also needed to create routes for the static WAN IP addresses; those are the addresses that I'm referring to in my OP. The netmasks that I'm using I obtained from each site's ISP. Site-A's netmask is /29 and Site-B's netmask is /30.
Couple of notes: I couldn't set the policies to route because the tunnel.1 interface was bound to the VPN already. I'm not really concerned with that, I figure it's because if I had the ability to, it'd be blurring the lines between a route-based and policy-based vpn.
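The "last digits changed" behaviour in the question is what any routing table does with a destination entry: it stores a network prefix, not a host, so the typed address is ANDed with the netmask. The script below is an added example (not from the post, the Juniper KB article or ScreenOS itself) that reproduces that normalisation with Python's `ipaddress` module and adds the sanity checks a practitioner would run on a static route entry: is the gateway actually a reachable next hop on the chosen interface, and is it a different device from the firewall itself? The public addresses are RFC 5737 documentation ranges standing in for the post's obfuscated static IPs, the interface names and the ISP-assigned /29 and /30 subnets are assumed, and `check_route`/`demo` are hypothetical helpers written for this example.

```python
"""Normalise and sanity-check static route entries the way a router stores them.

Added example, not the poster's configuration. Addresses are RFC 5737
documentation ranges (assumed); interface names and subnets are assumed.
"""
import ipaddress


def normalized_destination(dest_ip: str, prefix_len: int) -> ipaddress.IPv4Network:
    """What the routing table actually stores for a destination entry.

    A route is a prefix, not a host: the router ANDs the address with the
    netmask and keeps the network address. strict=False makes ipaddress do
    the same masking instead of rejecting an address with host bits set.
    """
    return ipaddress.ip_network(f"{dest_ip}/{prefix_len}", strict=False)


def check_route(dest_ip: str, prefix_len: int, gateway: str, interface: str,
                interface_addrs: dict) -> dict:
    """Return the stored prefix plus human-readable findings for one route.

    interface_addrs maps an interface name to its configured IPv4Interface
    (address plus mask), i.e. what the firewall's interface listing shows.
    """
    net = normalized_destination(dest_ip, prefix_len)
    gw = ipaddress.ip_address(gateway)
    local = interface_addrs[interface]
    findings = []

    if net.network_address != ipaddress.ip_address(dest_ip):
        # The effect described in the question: the display differs from
        # what was typed because host bits were masked off. This is normal.
        findings.append(
            f"typed {dest_ip}/{prefix_len}, stored as {net} (host bits masked)")

    if gw == local.ip:
        # A next hop is an adjacent device; the router's own interface
        # address gives the packet nowhere to go.
        findings.append(
            f"gateway {gw} is {interface}'s own address, not a next hop")
    elif gw not in local.network:
        # An off-link next hop cannot be reached over this interface.
        findings.append(
            f"gateway {gw} is outside {interface}'s subnet {local.network}")

    return {"stored": str(net), "findings": findings}


# Constructed data (assumed values) mirroring the shape of the post's entries:
# site-A's WAN interface holds a /29 from its ISP, site-B's a /30.
SITE_A_IFACES = {"ethernet0/0": ipaddress.ip_interface("198.51.100.10/29")}
SITE_B_IFACES = {"ethernet0/0": ipaddress.ip_interface("192.0.2.89/30")}


def demo():
    """Run both sites' WAN-to-WAN route entries through the checks."""
    # Site-A: destination typed as site-B's static IP with site-B's /30,
    # gateway set to site-A's own static IP, as in the question.
    site_a = check_route("192.0.2.89", 30, gateway="198.51.100.10",
                         interface="ethernet0/0", interface_addrs=SITE_A_IFACES)
    # Site-B: the reverse, using site-A's /29.
    site_b = check_route("198.51.100.10", 29, gateway="192.0.2.89",
                         interface="ethernet0/0", interface_addrs=SITE_B_IFACES)
    return site_a, site_b


if __name__ == "__main__":
    for site, result in zip(("site-A", "site-B"), demo()):
        print(f"{site}: route stored as {result['stored']}")
        for finding in result["findings"]:
            print("  -", finding)
```

With these inputs the /30 entry typed as `.89` is stored as `192.0.2.88/30` and the /29 entry typed as `.10` becomes `198.51.100.8/29`, which is the same masking the firewall applied in the question. The gateway check is the part worth keeping around: a static route's next hop has to be another device on the egress interface's subnet (typically the ISP router), and the script flags an entry whose gateway is the firewall's own address or lies off-link.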
My solution evolved around what you suggested with the bgroup1 IP (172.16.100.50).
I deleted that DHCP scope (which started at that IP) and built a new scope. Then I changed the IP in the firewall. Site-B is reporting that internet and networked drives work!
Thanks so much for your help! – Kyle May 03 '12 at 16:11